@storm-software/tsdown
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; gitHead absence is a minor metadata gap, not a supply chain risk for this publisher. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from stormie-bot to GitHub Actions CI publisher; SLSA provenance attestation confirms legitimate CI/CD pipeline. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are first-party Storm Software monorepo packages; consistent with internal refactoring pattern across 459 versions. | ai | |
| phantom-deps | phantom-dep:rolldown | AI (phantom-deps): Declared runtime dep; bundler integration, stable false positive. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Declared runtime dep; CLI binary uses commander, stable false positive. | ai | |
| phantom-deps | phantom-dep:tsup | AI (phantom-deps): Declared runtime dep in package.json; used via config/build toolchain, not direct import. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): Declared runtime dep; source map handling in build output, stable false positive. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org dep declared in dependencies; stable false positive for this package family. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): Declared runtime dep; utility library used in build toolchain. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): Declared runtime dep; used in config/build utilities, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Declared runtime dep; used in watch/build toolchain, stable false positive. | ai |
Versions (showing 100 of 227)
| Version | Deps | Published |
|---|---|---|
| 0.45.201 | 11 / 9 | |
| 0.45.200 | 11 / 9 | |
| 0.45.199 | 11 / 9 | |
| 0.45.198 | 11 / 9 | |
| 0.45.197 | 11 / 9 | |
| 0.45.196 | 11 / 9 | |
| 0.45.195 | 11 / 9 | |
| 0.45.194 | 11 / 9 | |
| 0.45.193 | 11 / 9 | |
| 0.45.192 | 11 / 9 | |
| 0.45.191 | 11 / 9 | |
| 0.45.190 | 11 / 9 | |
| 0.45.189 | 11 / 9 | |
| 0.45.188 | 11 / 9 | |
| 0.45.187 | 11 / 9 | |
| 0.45.186 | 11 / 9 | |
| 0.45.185 | 11 / 9 | |
| 0.45.184 | 11 / 9 | |
| 0.45.183 | 11 / 9 | |
| 0.45.182 | 11 / 9 | |
| 0.45.181 | 11 / 9 | |
| 0.45.180 | 11 / 9 | |
| 0.45.179 | 11 / 9 | |
| 0.45.178 | 11 / 9 | |
| 0.45.177 | 11 / 9 | |
| 0.45.176 | 11 / 9 | |
| 0.45.175 | 11 / 9 | |
| 0.45.174 | 11 / 9 | |
| 0.45.172 | 11 / 9 | |
| 0.45.171 | 11 / 9 | |
| 0.45.170 | 11 / 9 | |
| 0.45.169 | 11 / 9 | |
| 0.45.168 | 11 / 9 | |
| 0.45.167 | 11 / 9 | |
| 0.45.166 | 11 / 9 | |
| 0.45.163 | 11 / 9 | |
| 0.45.162 | 11 / 9 | |
| 0.45.161 | 11 / 9 | |
| 0.45.160 | 11 / 9 | |
| 0.45.159 | 11 / 9 | |
| 0.45.158 | 11 / 9 | |
| 0.45.157 | 11 / 9 | |
| 0.45.156 | 11 / 9 | |
| 0.45.155 | 11 / 9 | |
| 0.45.154 | 11 / 9 | |
| 0.45.153 | 11 / 9 | |
| 0.45.152 | 11 / 9 | |
| 0.45.151 | 11 / 9 | |
| 0.45.150 | 11 / 9 | |
| 0.45.149 | 11 / 9 | |
| 0.45.148 | 11 / 9 | |
| 0.45.147 | 11 / 9 | |
| 0.45.146 | 11 / 9 | |
| 0.45.145 | 11 / 9 | |
| 0.45.144 | 11 / 9 | |
| 0.45.143 | 11 / 9 | |
| 0.43.10 | 11 / 9 | |
| 0.43.9 | 11 / 9 | |
| 0.43.8 | 11 / 9 | |
| 0.43.7 | 11 / 9 | |
| 0.43.6 | 11 / 9 | |
| 0.43.5 | 11 / 9 | |
| 0.43.4 | 11 / 9 | |
| 0.43.3 | 11 / 9 | |
| 0.43.2 | 11 / 9 | |
| 0.43.1 | 11 / 9 | |
| 0.43.0 | 11 / 9 | |
| 0.42.4 | 11 / 9 | |
| 0.42.3 | 11 / 9 | |
| 0.42.2 | 11 / 9 | |
| 0.42.1 | 11 / 9 | |
| 0.42.0 | 11 / 9 | |
| 0.41.0 | 11 / 9 | |
| 0.40.12 | 11 / 9 | |
| 0.40.11 | 11 / 9 | |
| 0.40.10 | 11 / 9 | |
| 0.40.9 | 11 / 9 | |
| 0.40.8 | 11 / 9 | |
| 0.40.7 | 11 / 9 | |
| 0.40.6 | 11 / 9 | |
| 0.40.5 | 11 / 9 | |
| 0.40.4 | 11 / 9 | |
| 0.40.2 | 11 / 9 | |
| 0.40.1 | 11 / 9 | |
| 0.40.0 | 11 / 9 | |
| 0.39.0 | 11 / 9 | |
| 0.38.19 | 11 / 9 | |
| 0.38.18 | 11 / 9 | |
| 0.38.17 | 11 / 9 | |
| 0.38.16 | 11 / 9 | |
| 0.38.15 | 11 / 9 | |
| 0.38.14 | 11 / 9 | |
| 0.38.13 | 11 / 9 | |
| 0.38.12 | 11 / 9 | |
| 0.38.11 | 11 / 9 | |
| 0.38.10 | 11 / 9 | |
| 0.38.9 | 11 / 9 | |
| 0.38.8 | 11 / 9 | |
| 0.38.7 | 11 / 9 | |
| 0.38.6 | 11 / 9 |
v0.45.201
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.200
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.199
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.198
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.197
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.196
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.195
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.194
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.193
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.192
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.191
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.190
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.189
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.188
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.45.187
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.186
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.185
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.184
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.183
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.182
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.181
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.180
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.179
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.178
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.177
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.176
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.175
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.174
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.172
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.171
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.170
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.169
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.168
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.167
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.166
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.163
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.161
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.160
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.159
2 findingsThis version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.158
2 findingsThis version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.157
2 findingsThis version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.156
2 findingsThis version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.155
2 findingsThis version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.154
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.153
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.152
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.151
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.150
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.149
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.148
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.147
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.146
2 findingsThis version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.145
2 findingsThis version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.144
2 findingsThis version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.143
2 findingsThis version was published by a different npm account than previous versions on 2026-03-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.41.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.39.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.